INFORMATION
TEACHINGS AND FACT SHEETS FOR TALENTS
DATA PROTECTION CONCEPT
TABLE OF CONTENTS
DATA PROTECTION CONCEPT
1. Introduction
2. Business-related activity and location
3. Data Protection Officer (DSB) and person responsible for data protection
4. Further training and state of the art
5. Raising awareness among employees / service providers
6. Data processing / data processing purposes
7. Data protection impact assessment
8. Description of the technical-organisational measures (TOMS)
8.1 Principles
8.2. IT infrastructure
8.3. Head of IT
8.4. Individual measures
8.4.1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
8.4.2. Access control
8.4.3. Access control
8.4.4. Separation control
8.4.5. Pseudonymisation (Art. 32 para. 1 lit. a DS.-GVO; Art. 25 para. 1 GDPR)
8.4.6. Measures for encrypting the data
8.5. Integrity (An. 32 para. 1 lit. .b GDPR)
8.5.1. Transfer control
8.5.2. Input control
8.6. Availability and resilience
8.6.1. Availability control
8.6.2. Rapid recoverability
8.7. Organisational control
8.7.1. Organisational control
8.7.2. Security and risk management
8.7.3. Certification
8.7.4. Incident response management
8.7.5. Privacy-friendly default settings
8.7.6. Order control
9. Talent authentication and quality assurance
9.1. Control measures to authenticate the actual user (talent)
9.2. Quality control measures
10. Imprint and privacy statements
11. Protect data subjects' rights
11.1. Data subjects' rights: Process chains
11.2. Data breach notification: Process chain
12. Checklist for the annual control and improvement process
13. Summary
1. INTRODUCTION
This data protection concept is based on the principles formulated in Article 5(1) of the GDPR, such as purpose limitation, data minimisation, storage limitation, integrity, the right to be forgotten and confidentiality, and is lawful (Article 6 of the GDPR). The compliance with the Regulation as required by the GDPR (Art. 5(2); Art. 24(1)), the compliance with the rights of the data subjects (Art. 13-20), the obligation to report data breaches (Art. 33-34), the obligation to provide evidence and the obligation to be accountable (Art. 5(2), Art. 24(1)) is guaranteed. A control and improvement process is carried out at least once a year (Article 32, line 1), based on the checklist contained in the last chapter of this data protection concept.
2. MATERIAL AND SPATIAL ACTIVITY
We process personal data of natural persons over the age of 18 (Art 8 GDPR) in whole or in part by automated means and have our place of business in the EU:
Yoummday GmbH, Infanteriestraße 11a, House E, 80797 Munich,
Fon: +49 89 230236-03
www.yoummday.com
3. DATA PROTECTION OFFICER (DSB) AND RESPONSIBLE FOR DATA PROTECTION
If one of the following criteria applies, an external or internal DPO is necessary and must be appointed:
Processing of the data by a public authority or a public body, with the exception of the courts
YES ( )
NO (X)
Processing of personal data processing of personal data is a core activity of the organisation and/or requires extensive regular and systematic monitoring of the person concerned.
YES (X )
NO ( )
Processing of categories of personal data requiring special protection (Art. 9(1) of the GDPR) such as z. e.g. health data, ethical background, genetic or biometric data, trade union membership, etc.) is a core activity of the organisation.
YES ( )
NO (X)
Data Protection Officer:
Björn Barthelmes
Karl-Frank-Straße 35
12587 Berlin
E-mail: datenschutz@yoummday.com
4. FURTHER TRAINING AND STATE OF THE ART
Activities
- Information and training events
Organiser
- Webinars, for example at datenschutzguru.de or gruenderszene.de
other
- regular
5. RAISING AWARENESS AMONG EMPLOYEES / SERVICE PROVIDERS
It is particularly important to raise the awareness of all relevant employees, which we naturally do. Only with informed and attentive employees can security measures be implemented effectively and possible security incidents be recognised in good time.
Once the cause of a security incident has been identified, measures must be taken to address it. It is often necessary to isolate the affected IT systems or sites to contain the impact of the security incident.
The resolution of security incidents must be documented in detail.
An example of an awareness-raising/commitment to compliance with the GDPR for employees can be found in the appendix. Also in the appendix: A sample contract for commissioned data processing.
6. DATA PROCESSING/DATA PROCESSING PURPOSES
Purposes and description of the data processing operations:
- Accounting and business processing: Processing and transmission of data within the scope of business relationships with customers, talents and suppliers, as well as third parties and business partners involved in the business processing, including their respective contact persons, including automatically generated and archived text documents (such as invoices, correspondence or contracts) in these matters.
- Customer care and marketing: Service-oriented information and care of categorised customers, suppliers and third parties or business partners involved in the business process, including their respective contact persons and interested parties, including automatically created and archived text documents (e.g. correspondence) as well as the transmission of newsletters, form letters and information material.
- Operation of websites: Transmission of data within the framework of the job market (company name, contact person, telephone number, website address, job description, CV, address, user name, password); Newsletter dispatch: Information to interested parties and customers on the subject of social media. Regularly updated information about new job offers
- Website analysis: Analysis of anonymised visitor behaviour on the website for optimisation and traceability of page visits (e.g. entry and exit pages, length of stay...).
- Contact form: Contact request via the website for interested parties and customers to answer specific enquiries / Talent area: Users can log in to the website to visit a talent area.
7. DATA PROTECTION IMPACT ASSESSMENT
To the extent that the DPO determines that the intended processing is subject to a data protection impact assessment, the DPO shall notify this immediately. The procedure may only be carried out after approval by the DPO. In case of doubt, the management shall decide.
8. DESCRIPTION OF THE TECHNICAL ORGANISATIONAL MEASURES (TOMS)
8.1. Principles
As the responsible body, suitable technical and organisational measures have been taken to ensure compliance with the principles of the European Data Protection Regulation. This ensures and provides evidence that the processing is carried out in accordance with the provisions of the EU Data Protection Regulation.
The following measures serve to ensure the confidentiality of the systems and serve the:
- Ensuring the confidentiality of systems and services
- Ensuring the integrity of systems and services
- Ensuring the availability of systems and services
- Ensuring the resilience of systems and services
- Restoring the availability of and access to personal data after a physical and technical incident. Procedures for regular review,
- assessment, evaluation of the effectiveness of the above measures.
The technical and organisational measures to be taken are based on:
- State of the art
- the implementation costs
- Nature, scope, circumstances and purpose of processing
- the varying likelihood and severity of the risk to the rights and freedoms of natural persons
This ensures a level of protection for personal data that is commensurate with the risk. To maintain the level of protection, the measures are regularly reviewed and updated.
8.2. IT-Infrastruktur
see doc: Technical Setup and DP Infrastructure Az*4
8.3. Head of IT
Head of IT:
Wolfgang Maier
E-Mail: wolfgang.maier@yoummday.com
Phone: +49 89 230 236 04
8.4. Individual measures
8.4.1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
Access control: protection of rooms with data processing equipment against access by unauthorised persons
Security device Property
(+) The premises where computers are housed are fenced off,
(+) Gate system with registration
Area monitoring
(+) Video surveillance with camera control,
(+) the video surveillance is marked with information signs
Access control system Building security
(+) Locking system safety lock
(+) Locking system digital lock with coded key
Central reception area
(+) All visitors must register at the reception and sign in and out of the visitors' list as well as be accompanied in the house.
Access control system for business premises
(+) Locking system security lock
(+) Locking system RFID chip
Measures in case of loss of a key/card/chip
(+) Replacement of the locking system with keys
(+) Reprogramming of the code
Monitoring systems buildings
(+) Smoke alarm system
(+) Fire alarm system
Security of the server rooms
(+) Locking system digital lock with coded key
External service providers
(+) All external craftsmen, house technicians and computer centre technicians must register at the reception before starting their work. The receptionist informs the staff member who is expecting the visit and arranges for them to be picked up. If neither the desired employee nor another employee who is familiar with the task for the external craftsman, house technician or data centre technician can be reached, no access may be granted.
Key/key allocation
(+) The keys are issued by the central building management.
(+) Each issued key is recorded in a key book or in a key management system.
Special protection of the data centre
(+) Partitioning of the data centre according to the shell principle.
(+) Access to the data centre rooms through locks.
(+) Video surveillance
(+) Motion detector
(+) Smoke detector
(+) Temperature monitoring
(+) Alarm system
8.4.2 Access control
Protection of computer systems against access by unauthorised persons
Control of password conventions
(+) Release only by administrator
Rights management
(+) A rights concept exists for rights management.
(+) All authorisations are documented in a comprehensible manner
(+) The rights are changed in the following cases
(+) Leaving of an employee
Screen lock
(+) Screen lock during absence with password identification is set up.
WLAN
(+) physical separation of the guest WLAN from the company network
Notebook security
(+) User ID and password
Automatic lock PC (e.g. password and pause switch)
(+) An automatic locking of the PC takes place after 10 minutes
Secure connection for "Remote access"
Remote access" to systems from the "home office" is only possible with own PCs and laptops under the following conditions.
(+) User ID and password or private/public key
(+) Data is transmitted encrypted
8.4.3 Access control
Access control measures are aimed at preventing unauthorised activities (e.g. unauthorised reading, copying, modification or removal) in DP systems outside of granted authorisations.
A strictly monitored authorisation concept with personal user accounts has been set up. Access to certain information is granted via a group or role concept.
Protection of data against access by unauthorised persons
Written administration concept
(+) Uniform requirements for IT security
(+) Separation of responsibilities
(+) Administrators are own employees
(+) Separation of administrator accounts according to systems and persons
Identification and authentication of administrators
(+) UserID and password or private/public key
Admin Password Conventions
(+) Character minimum length alphanumeric character set
(+) Trivial password exclusion,
(+) password entry with encrypted process,
(+) secure password files
Role-based authorisation concept
(+) A role-based user authorisation concept is set.
Restrictive rights allocation system
(+) Access authorisation always follows the principle of restrictive rights assignment.
Identification and authentication of administrators
(+) UserID and password or private/public key
Admin Password Conventions
(+) Character minimum length alphanumeric character set,
(+) Trivial password exclusion,
(+) password entry with encrypted process,
(+) secure password files
Role-based authorisation concept
(+) A role-based user authorisation concept is set.
Restrictive rights allocation system
(+) Access authorisation always follows the principle of restrictive rights assignment.
Logging of system use
(+) Logging of system usage is done via LOG files of the corresponding systems.
Access to data only via access authorisations
(+) Access to data is via a user ID and a correspondingly secure password as well as the correspondingly assigned access authorisations (roles).
Authorisations only after approval by superiors
(+) The access authorisations (roles) are requested and approved via an electronic workflow.
Rules on the withdrawal of access authorisations
(+) The revocation of access authorisations (roles) takes place via an electronic workflow.
Allocation of authorisation only by authorised persons
(+) Authorisations are only granted by authorised persons on the basis of an electronic workflow.
Control of authorisations
(+) The allocation of authorisations is checked on a regular basis.
Special authorisations
(+) Special access authorisations are only granted in exceptional cases.
Declarations of commitment for Administrators
(+) Employees are obliged to observe data secrecy, data protection and telecommunications secrecy and, if necessary, social secrecy. Sensitisation takes place upon recruitment or on a regular basis.
Training of the administrators
(+) Administrators are regularly trained to handle information safety specially trained.
Controlled destruction of data
(+) Controlled destruction of data and printouts takes place and printing by specialised, certified service providers.
8.4.4 Separation control
Separation of data sets that are processed for different purposes
Earmarking of the systems
(+) The systems are operated in accordance with the corporate data protection guideline.
Rights concept according to data purpose
(+) The rights concept is strictly based on data separation.
8.4.5 Pseudonymisation (Art. 32 para. 1 lit. a DS.-GVO; Art. 25 para. 1 DS-GVO)
If pseudonymisation is provided for data, the processing of personal data is carried out in such a way that the data can no longer be assigned to a specific data subject without the use of additional information. This additional information is stored separately and backed up with appropriate technical and organisational measures.
The following pseudonymisation procedures are used:
Anonymised identifiers, which can only be resolved with the help of a separate database.
8.4.6 Measures for encrypting the data
The aim of the measures for encrypting personal data is to protect the contents of databases from unauthorised viewing and modification.
All personal data as well as other confidential information is always transferred in encrypted form; either a secure HTTPS portal is used for this or password-protected zip files are sent electronically.
Mail encryption is possible on a reciprocal basis. The following encryption techniques are used:
- TLS encryption for e-mail traffic
8.5. Integrity (An. 32 para. 1 lit. .b DS-GVO)
8.5.1 Transfer controls with data processing equipment against access by unauthorised persons
Care shall be taken to prevent unauthorised reading, copying, modification or removal during electronic transmission or transport.
Organisational specifications for the storage of data media
(+) Internal company rules for dealing with data carriers
Protected rooms for data storage
(+) The data backups are stored either in a protected room (e.g. data protection room, data centre) externally by an appropriate service provider.
Data protection-compliant data media disposal
(+) The physical destruction of data carriers is carried out in accordance with DlN 66399 min. in security level 3).
Identification and authentication of the participants
(+) Identification and authentication of the participants is done by user ID, phone numbers, identification, password User ID
Encryption of e-mails
(+) The transmission of highly sensitive data is only encrypted
8.5.2 Input control
Documentation of whether and by whom personal data have been entered into data processing systems, changed or removed. (Logging, document management)
Proof of data entry or modification
Access regulations
(+) Access rules and user authorisations are in place, allowing identification of all users and terminals in the system.
Logging of the setup and operation of the IT system
(+) Documentation of all authorised users with rights profile
(+) Documentation for the rights of use set up.
System logs
(+) User activity is logged in system logs. Input control in database systems shall be carried out within the framework of the standard procedures supplied with the database systems delivered, which, depending on the database system, may include all inputs up to the point of entry. As far as booking journals are possible in the software systems, these are filled in.
Retention of system logs
(+) System logs are kept within the framework of legal or contractual requirements.
Logging functions
(+) The activities of the users are traceable via extensive logging functions
Change logging
(+) Changes are logged on the servers or in the programmes.
Databases
(+) Input control in database systems is carried out within the framework of the standard procedures supplied with the database systems, which, depending on the database system, may include up to the recording of all inputs
Table logging
(+) if software table logging and audit information system are available, these functions can be used to carry out an appropriate control.
8.6. Availability and resilience
8.6.1 Availability controlProtection against accidental or deliberate destruction or loss of data.
Regular data backups
(+) The data is saved in backup systems and can be extended by redundant systems. This ensures a short recovery time and high overall availability for any disaster scenarios.
Mirroring hard disks, e.g. RAID procedure
(+) Data is regularly mirrored (RAID systems), mirroring on spatially separated systems)
Uninterruptible Power supply (UPS)
(+) The data centres are protected by separate UPS systems with battery power.
Separate storage
(+) Mirroring of data takes place regularly (mirroring to spatially separated systems). Separate storage of Data takes place
Virus protection/firewall
(+) Virus scanner and firewall systems on all systems.
Backup system
(+) Systemic
Emergency plan
(+) The company has a contingency plan and corresponding manuals for maintaining the core processes in the event of a K-case. Creation and maintenance of a customer-specific K-case manual takes place regularly
8.6.2 Rapid recoverability
Emergency plans/crisis plans/disaster recovery exist for the data centres. These are documented in the backup and emergency concept. The functionality of this concept is checked at regular intervals. The emergency plans are subject to a regular review and improvement process.
8.7. Organisational control
8.7.1. Organisational control
Organisational measures to ensure the processing of personal / sensitive data
IT security concept
(+) An information security guideline is available in the current version.
Password policy
(+) The password policy is present in the current version and can be viewed on site
Data protection directive
(+) A privacy policy is in place and can be activated on site. be seen.
Data Protection Officer
(+) An external data protection officer is provided
Obligation of employees according to Art. 29 +32 DS-GVO(+) All employees are bound by data secrecy and the observance of company and business secrets and are instructed in accordance with DS-GVO, Articles 29 and 32 (4) to process personal data only on the instructions of the controller.
Obligation of employees to § 88 TKG(+) All employees must be committed to data secrecy and compliance with Art. 29 +32 DS-GVO.
Subcontractor
(+) Directive Subcontractor is available
Trainings/Training
(+) In annually obligatory trainings, all employees must update their data protection awareness. They ensure the binding implementation of the data protection and information security guidelines, which are obligatory in the company-wide intranet.
8.7.2 Security and risk management
Services are provided on the basis of an information security management system. This includes, among other things, written guidelines, processes and manuals for IT/computer centre operation. They are based on legal regulations and internally proven rules.
The security procedures used are reviewed on an ongoing basis.
A risk management system has been implemented that covers operational risks from tenders, contracts and projects. In addition, there is an IT security risk management system that deals with process-related, service-related and location-related risks.
The technical and organisational measures for data protection in accordance with Article 32 of the GDPR are regularly reviewed as part of the ISO certification. In addition, data protection-relevant issues are also taken into account during internal process audits.
8.7.3 Certification
ISO 9001:2015 Quality Management
8.7.4
Incident response management
Security incidents are handled according to standard operating procedures and tool-supported processes in order to restore trouble-free operation as quickly as possible. Security incidents are monitored and analysed in a timely manner. Depending on the type of incident, the responsible and necessary employees of the specialist departments and specialists are called in to deal with it.
8.7.5 Privacy-friendly default settings
Data protection is taken into account at the earliest possible stage through data protection-friendly default settings ("Privacy by Design and by Default") in order to prevent unlawful processing or misuse of data. Appropriate technical default settings are to ensure that, as a matter of principle, only those personal data are collected and processed that are actually required for the specific purpose (need to know principle).
In order to achieve the lowest possible risk processing of personal data, the following protective measures are implemented, among others:
- Minimise the amount of personal data Pseudonymise or encrypt data as early as possible
- Establish transparency with regard to the functions and processing data
- Delete or anonymise data as early as possible
- Minimise access possibilities to data Preset
- existing configuration options to the most data protection friendly values
8.7.6 Order control
The aim of order control is to ensure that personal data processed on behalf of a client can only be processed in accordance with the client's instructions.
All sub-service providers are selected according to defined criteria and are obliged to comply with the GDPR. A list of the sub-service providers is available.
Service providers who act as processors within the meaning of the GDPR are selected with the utmost care according to data protection criteria. These are contractually bound to the client in accordance with Article 28 of the GDPR. The technical and organisational measures for the protection of personal data specified in the contractual commitment are based on the standards described in this document. A list of the processors is available.
The employees are instructed in data protection law at regular intervals. They are therefore familiar with the client's right to issue instructions with regard to commissioned data processing, both in their role as client and in their role as contractor. Persons authorised to issue instructions on the part of the client are named and known to the contractor.
An assessment of the contractor's IT security is carried out before the contract is awarded.
Formalised contracts and order forms ensure that the rights and obligations of the parties are clearly defined in the contract. The execution of the contract is regularly checked and controlled. Instructions are always received in writing and with written confirmation.
No commissioned data processing within the meaning of Art. 28 DS-GVO takes place without corresponding instructions from the client, e.g.: Clear contract design, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.
Every activity is based on an order from a customer. At a minimum, an existing contract applies. If personal data is processed, standard changes are only accepted by authorised persons of the customer.
9. TALENT AUTHENTICATION AND QUALITY ASSURANCE
Pursuant to Article 32 (1) and (2) DSGVO and Section 62 BDSG, the controller of personal data is obliged to ensure compliance with the provisions of this Act and other provisions on data protection. If he commissions other persons or bodies to process personal data, he must ensure that the processor takes the necessary technical and organisational measures in accordance with the state of the art to protect the personal data and to ensure the lawful processing of the data he processes.
Pursuant to Section 64 (3) of the BDSG, measures must be taken which, among other things, are intended to achieve the following:
- Prevention of unauthorised reading, copying, modification or deletion of data carriers (data carrier control),
- Prevention of unauthorised entry of personal data as well as unauthorised access to, modification and deletion of stored personal data (storage control),
- Preventing the use of automated processing systems with the help of data transmission equipment by unauthorised persons (user control),
- Ensuring that those authorised to use an automated processing system have access only to the personal data covered by their access authorisation (access control), ensuring that it is possible to verify and identify the entities to which
- personal data have been disclosed (access control), ensuring that it is possible to identify the entities to which personal data have been disclosed (access control)
- data has been or can be transmitted
- or made available by means of data transmission equipment (transmission control), Ensuring that it is possible to subsequently check and establish which personal data have been entered or changed in automated processing systems, at what time and by whom (input control), ensuring that personal data processed on behalf of the client can only be processed in accordance with the client's instructions (order control)
9.1. Control measures to authenticate the actual user (talent)
Frequency analysis: The voice frequencies of the user are continuously analysed and automatically checked by means of a voice comparison to see whether they match the voice frequency of the talent created during the registration process. In this way, it can also be determined whether unauthorised third parties are present in the room.
Typing behaviour: The behaviour of the user when typing on the keyboard is continuously measured. The user can be identified on the basis of the measured characteristics by comparing stored data. In particular, the takeover of the computer by another person can be recognised.
9.2. Quality control measures
Silent monitoring: Yoummday GmbH has the possibility to listen in on current conversations. On the one hand, this is done for training purposes in order to give the talent the opportunity to improve his or her conduct of the conversation through feedback from a trainer and thus achieve better results. This measure only takes place if both the interlocutor and the talent have expressly agreed to it in advance. Voice Recording: The conversations of a talent can be electronically recorded by Yoummday GmbH. However, only the spoken word of the talent, but not that of the interlocutor, is stored. As a rule, recording only takes place with the prior consent of the talent. However, in individual cases this can also take place without the knowledge and consent of the talent if there is cause for customer complaints.
10. IMPRINT AND PRIVACY STATEMENTS
GDPR-compliant on the website operated, available under the following links:
Terms-and-conditions-for-talents
11. PROTECT DATA SUBJECTS' RIGHTS
As a matter of principle, we make the current version of our data protection concept available to every user or affected party.
According to the GDPR, every data subject has the following rights:
- Right of access (Art 15 GDPR)
- Right of rectification (Art 16 GDPR)
- Right of erasure (Art 17 GDPR)
- Right of restriction (Art 18 GDPR)
- Right to portability (Art 20 GDPR)
- Right to object (Art 21 GDPR)
- Right to complain to the data protection authority
11.1. Data subjects' rights: Process chains
We are informed that a data subject wishes to assert his or her rights, e.g. verbally, in writing or by e-mail.
If the data subject is not known to us personally, we must establish the identity of the applicant (data subject) in order to avoid a data breach:
"Dear Ms/Mr ...,
As we have unfortunately not yet had the opportunity to meet you personally, we would ask you to send us a copy/scan of your identity card/passport so that we do not commit any data protection offences - such as forwarding personal data to the wrong person. We will then immediately comply with your request in terms of data protection. Thank you for your understanding.
With kind regards"
- Identity cannot be established beyond doubt and the person concerned does not contact you despite being informed: => No activities necessary.
- Identity is established beyond doubt and enquiry is Legal: The data subject receives the following answers in clear and understandable language within a maximum of 14 days, depending on his or her request, in accordance with Art. 19 of the GDPR: "Right of access (Art. 15 GDPR)".
The person concerned receives his or her master data sheet with all personal data (screen shot) as a PDF file.
Right of rectification (Art 16 GDPR)The data subject receives his master data sheet with the corrected personal data as a PDF file (screenshot).
Right to erasure (Art 17 GDPR)The data subject receives a PDF of his or her master data sheet without personal data (except name) as proof that the deletion has taken place with the note that
- the data is used anonymously for internal statistics
- after copying the master data sheet, the entire master data sheet including names was also irrevocably deleted (screenshot).
- or in the case of an existing or concluded contract with the person concerned, I will delete all data (~ marketing data) except for those where we can assert a justified interest of the person responsible according to Art 6 para 1 lit f or lit c (legal obligations e.g. BAO and UGB; especially accounting records) GDPR. According to the BAO and the UGB; above all accounting records) DSGVO and we will therefore only delete this data after 7 years due to the legal retention periods; in addition, we will delete the personal data until the end of any legal dispute, ongoing warranty or guarantee periods.
- In these cases, a blocking (restriction) takes the place of a deletion of the accounting data.
Right to restriction (Art. 18 of the GDPR)The data subject receives a PDF of his or her master data sheet, from which he or she can see that the "Right to restriction asserted" checkbox is ticked and that no processing of his or her personal data is taking place. (Screenshot)
Right to portability (Art 20 GDPR)The data subject receives his master data sheet with all personal data (as a PDF, as it should be machine-readable), pursuant to Art 20 Z2 GDPR we transmit his master data sheet with all personal data by CC to another responsible person named by the data subject by e-mail, but only via a secure and encrypted transmission. Otherwise printed out by registered letter at the expense of the data subject.
Right to complain to the data protection authority
11.2. Data breach notification: Process chain
The GDPR defines a "personal data breach" (data breach) in Art. 33 as a breach of security that results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, whether unintentional or unlawful.
- We become aware of a data breach.
- Within 72 hours we report with the help of the
- "Model Data Protection Breach Notification" (see Annex) to the competent supervisory authority pursuant to Article 55 GDPR if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
- We inform data subjects immediately with a cover letter and a copy of the notification to the data protection supervisory authority.
- We will document all breaches of the protection of personal data including all related facts (effects, remedial measures taken). This documentation serves the supervisory authority to verify correct compliance with the notification obligation, see Art 33 Z5 DSGVO.
12. CHECKLIST FOR THE ANNUAL CONTROL AND IMPROVEMENT PROCESS
The following checklist serves as an implementation aid for checking and documenting the implementation status of the security measures for small institutions. The checklist can also be used as evidence of efforts to implement IT security.
- Are new employees made aware of existing regulations and instructions on information security when they are hired?
- Are the important key positions filled by a representative?
- Have all employees signed a data confidentiality commitment?
- Are backup media stored in a separate room?
- Are virus protection programmes installed on all clients?
- Are operating systems and applications regularly updated?
- Is there a checklist for employees on termination of employment?
- Is there user and rights management for IT systems and applications?
- Are there password regulations for IT systems and applications and are these implemented?
- Are all employees informed about the regulations on the use of standard software?
- Is only software from trustworthy sources installed?
- Are there regular checks regarding the installed software?
- Are automatic updates activated on clients and servers?
- Are there special instructions and tools for deleting and destroying data?
- Are doors and windows usually locked when staff are not in place?
- Are there lockable desks or cupboards in the offices?
- Are there anti-theft devices for IT systems in offices open to the public?
- Are lockable desks or cabinets available at the mobile workplace?
- Are there regulations governing which official documents may be processed at the home workplace and transported back and forth between the institution and the home workplace?
- Is the screen lock activated on all clients?
- Is access to the LAN from mobile laptops secured?
- Is the encryption of e-mail communication between client and server activated?
- Is the entry of the device PIN activated on all mobile phones / smartphones?
- Is all confidential data only stored encrypted on cell phones/smartphones or memory cards?
- Is the WPA2 encryption method used for WLAN?
- Are the keys for WiFi access changed regularly?
13. SUMMARY
We consider the level of data protection documented here with the TOMs set to be appropriate and sufficient for us. We can therefore say to our customers with a clear conscience:
Dear customer, dear interested party!
Trust is the basis and prerequisite for our Yoummday platform. Therefore, all your personal and professional data is also in good hands with us.
We assure you that we will handle it carefully and in strict confidence and that our data protection measures will always comply with the latest legislation and that our software and hardware will always be up to date.
You can trust in that.
Munich 03.05.2022
Date, Place, Stamp Signature
Note: An original of this data security concept with signature is stored in our archive. The digital version of the data security concept is valid without signature
CONTACT
If you have any further questions, please contact
datenschutz@yoummday.com